diff options
| author | Christina Fu <cfu@redhat.com> | 2017-06-05 08:50:25 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2017-06-05 11:18:38 -0700 |
| commit | aa39354dbbf9df404f6ad374c837db0c421f2705 (patch) | |
| tree | 5d86f32220481ec94b240d3904b27adbe7e565e2 | |
| parent | 6f3b1e546d43871eee9e57fb21735601a4fce0f0 (diff) | |
| download | pki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.gz pki-aa39354dbbf9df404f6ad374c837db0c421f2705.tar.xz pki-aa39354dbbf9df404f6ad374c837db0c421f2705.zip | |
Ticket #2617 part2: add revocation check to signing cert
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java | 19 | ||||
| -rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java | 2 |
2 files changed, 20 insertions, 1 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index 2128c1e30..a18c25ee3 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; +import java.security.cert.CertificateExpiredException; import java.security.MessageDigest; import java.security.PublicKey; import java.util.Enumeration; @@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, si.verify(digest, id, pubK); } CMS.debug(method + "finished checking signature"); + // verify signer's certificate using the revocator + // ...or not; I think it just checks usage and + // validity, but not revocation status if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { CMS.debug(method + "CMC signature failed to be verified"); s.close(); @@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, } // At this point, the signature has been verified; + // now check revocation status of the cert + if (CMS.isRevoked(x509Certs)) { + CMS.debug(method + "CMC signing cert is a revoked certificate"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + try { //do this again anyways + cert.checkValidity(); + } catch (CertificateExpiredException e) { + CMS.debug(method + "CMC signing cert is an expired certificate"); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } catch (Exception e) { + CMS.debug(method + e.toString()); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + IAuthToken tempToken = new AuthToken(null); /* netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java index 998d7e261..ae450fab4 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java +++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java @@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen try { user = (User) mCULocator.locateUser(certs); } catch (EUsrGrpException e) { - CMS.debug("CertUserDBAuthentication: cannot map certificate to any user"); + CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber() .toString(16), x509Certs[0].getSubjectDN().toString(), e.toString())); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); |